1. Why this research?
Among privacy protection tools, privacy impact assessment (PIA) has recently risen high on policy-makers’ and academia’s agendas. PIA has been defined in various ways, but essentially it is a systematic process for evaluating the potential effects on privacy of a project, initiative, or proposed system or scheme and finding ways, in consultation with stakeholders, to mitigate or avoid any adverse effects (Wright 2011, p. 123). As a matter of fact, the proposed General Data Protection Regulation in Art 33 provides for a data protection impact assessment framework.1
If we were to summarise the advantages of PIA briefly, we would point out identification and mitigation of risk (and evidence thereof); enhancement of informed decision-making; confirmation that an entity takes privacy seriously; avoidance of reputation loss and of unnecessary costs, among others (Wright 2012, p. 55). Stewart further adds that businesses able to sustain a high level of trust and confidence can differentiate themselves from their rivals and thereby gain a competitive advantage (Stewart 2007). Opponents would probably view PIA as a regulatory burden, needless expense and a cause for delays, especially when it is mandatory. It is not surprising that some of the business community would support PIA if it were quick, simple and cheap.
2.1. Precaution – its origin and scope
Tools of risk assessment, including PIA (cf. infra, section 5.1), are one of the many applications of the precautionary principle. A satisfying description of it can be found in the French Loi Barnier: the precautionary principle is a principle according to which “uncertainty caused by a lack of sufficient scientific and technical evidence should not refrain the adoption of effective and proportionate measures aiming at preventing the advent of a grave and irreversible damage to the environment, whose cost is economically acceptable.”2 In other words, the precautionary principle should guide governments’ actions in situations characterised by risks that are not constitutive of acute identified and informed dangers against which governments should take “preventive” action (risks are known, pre-emptive action can be taken). Its purpose is to minimise risks that are neither presently acute nor clearly identified or informed but that, according to indications or uninformed abnormalities, may occur or become evident in the long term, and hence to maintain a margin for future developments (Hilty 2005, p. 27).
Kourilsky distinguishes between potential risks (i.e. uncertainties) and proven risks (i.e. acute dangers, “known” risks). The former will trigger a government response based upon the precautionary principle, whereas the latter will lead to a decision taken in the framework of the danger aversion principle (i.e. prevention) (Kourilsky 2002, p. 51). As Godard puts it, the precautionary principle aims not only at dangers and risks whose causes are undetermined, but whose very existence is problematic and yet unascertained (Godard 2000, p. 6). In its judgement on the validity of the Commission’s decision banning the exportation of beef from the UK, the ECJ has ruled “where there is uncertainty as to the existence or extent of risks to human health, the institutions may take protective measures without having to wait until the reality and seriousness of those risks become fully apparent.”3
The precautionary principle thus commands that in the face of a potential risk, action must be taken at the earliest possible stage. The decisional space where the precautionary principle lies is this “in-between”, where the level of scientific knowledge is not comprehensive enough to bring certainties concerning the existence of a particular danger, but is nonetheless sufficiently developed or informed by “the concerned” (“les riverains”) in order to raise questions and hypotheses relating to the existence of such dangers (Godard 2000, p. 14).
Understanding precaution as a principle of action requires determining the kind of actions that can be undertaken. Some procedural principles can be of help in that respect, such as comparing the merits and costs of different approaches or the need to take provisional measures (i.e. measures that can be revised according to the evolution of scientific knowledge) (Kourilsky 2002, pp. 57-66).4 As the European Commission points out, “recourse to the precautionary principle does not necessarily mean adopting final instruments designed to produce legal effects”.5 On the contrary, the appropriate response in a given situation is the result of an eminently political decision (since science cannot provide an answer or even questions) that weighs the acceptable level of risk and uncertainty that can be imposed on society, considering the particular risk or uncertainty at hand. Hence, in the face of a potential risk, the decision not to take any action may also be a valid response. Equally, the funding of a research programme or the decision to inform the public on the possible dangers of a phenomenon are also part of this wide range of actions that can be taken under the precautionary principle (Kourilsky 2002, pp. 57-66).
2.2. Precaution and civil liability: a renewed duty of care
However, because its nature is inherently entangled with uncertain risks (as opposed to classical civil liability), precaution sheds a new light on the duty of care (Sadeleer 2002, p. 212). In other words, because precaution is about taking actions, civil liability can only be understood in this perspective with reference to the duty of care (Sadeleer 2002, p. 216).
Hence, the principle of precaution translates less into a duty of care than into a duty to investigate. Fault would be determined not only in relation to the information at hand, but also the information that should have been known, including working hypotheses not yet fully proved at the time of the event (Sadeleer 2002, pp. 212-213). Uncertain risks entail recourse to precautionary action, which in turn transforms the duty of care into a duty of “highest” or “utmost” care.
It could be argued that this extended duty of care stretches the notion of fault in such a broad fashion that it would end up transforming fault-based liability into strict liability. For instance, under Dutch tort law anyone who creates a danger is under a duty to prevent damage arising as a result of that danger. Equally, a person who fails to take measures to that effect or does so inadequately will be liable for the ensuing damage (Sadeleer 2002, p. 213).7 It appears quite clearly that one is at fault for any damage caused to a third person, since one is under the duty to prevent any damage from occurring. Being liable for any damage is precisely what strict liability is about. However, this duty of care is not unlimited, in that a person who is not aware and is not legally obliged to be aware of a possible danger cannot be deemed to have acted negligently (Sadeleer 2002, p. 213).
Posing some limits to the precautionary duty of care entails remembering that the classical duty of care is solely triggered in the case of foreseeable damage. The question of the foreseeability of damage is related to the triggering of precautionary measures. (From which degree of uncertainty should a risk be taken into account? Should totally hypothetical risks be considered?) In civil liability, it is enough that the damage is foreseeable in abstracto (only the complete unforeseeability could justify the exoneration from liability). Such a restrictive definition of unforeseeability is largely compatible with the ethos of precaution and avoids transforming precautionary fault-based liability into strict liability. In other words, is it fair to hold an entity liable where it was unable to foresee the damage or to avoid it? If we are of the opinion that this is not the case, it is therefore essential to distinguish between a person who could not have, in the strict sense, known the consequences of her activities, and a person who could have been aware of them had she taken the trouble to explore more carefully the risks the said activities posed to the environment. Only the activities of the latter should be judged according to precaution. In other words, one must be in a situation in which she has the possibility to detect a risk and act accordingly. Only in this situation will the precautionary duty of care be triggered (Sadeleer 2002, pp. 214-215).
3.1. Higher standard of liability for dangerous activities
3.2. Impact on liability
As Hedemann-Robinson pointed out (Hedemann-Robinson 2007, p. 513), the Directive employs a unique and pragmatic approach in applying civil liability to an environmental context. The orthodox remedy of monetary compensation is excluded from the range of available legal remedies. Instead, in order to ensure rectification of actual or threatened environmental damage, the Directive imposes an obligation on the operators to take either preventive action, if damage has not yet occurred but there is an imminent threat thereof (Art 5), or remedial action (Art 6), when damage has already occurred. As a general rule, the operator shall bear the cost of these actions (the “polluter pays” principle).
The Court further held that “the risk ceases to be a development risk and becomes a known risk not if and when the producer in question […] had the requisite knowledge, but if and when such knowledge were accessible anywhere in the world […]. Hence it protects the producer in respect of the unknown.” The development risk defence serves only to protect the producer from unknown risks (Ashurst 2006, p. 2).
In the Netherlands, in the Sanquin Foundation case,16 the Court held that the Foundation, which had supplied the blood, was entitled to rely on the development risk defence. It had acted in compliance with the scientific and technical learning available at the moment of the blood donation and its delivery to the claimant (Bisschop 2011, p. 247).17 The infection had not been detected as the donor had only just contracted the HIV virus and his infection was in the three-month “window period” when detection was not possible by screening. This decision of the Amsterdam District Court has received considerable criticism (Ashurst 2006, p. 3).
It could be argued that the development risk defence reintroduces the notion of fault. In order to invoke this defence, an entity has to show it fulfilled its duty of care to acquire the state of scientific and technical knowledge when the product was designed and developed or the activity was undertaken. In other words, it might be required to demonstrate it was not negligent with regard to such knowledge. For instance, in the UK, in IBA v. EMI Electronics Ltd.18 the designer of a radio mast that collapsed in conditions of high winds and ice was found liable for failing to investigate fully the possible effects of such conditions on the structure (Deakin 2003, p. 636). In Germany, the Federal Court of Justice held on 2 February 1999 that if, following the proper use of a product, damage is caused because the product is defective, then the producer must show that it did not breach its duty of care and that it did not therefore act negligently (Best 2002).19
4. Precaution, a nexus between strict and fault liability: the pivotal concept of development risk defence
5. Can PIA mitigate civil liability?
5.1. PIA – an implementation of precaution?
As seen in section 2 supra, precaution is a principle that is definitely located in the broader framework of risk analysis and which concerns a specific type of risk: uncertain ones. Consequently, and given the delicate nature of such risks, some authors have substantiated the precautionary principle by determining that its implementation is constituted of two stages: risk assessment and risk management (Deakin 2003, p. 636). Equally, Zander suggests that, in the framework of precaution, risk regulation is composed of risk assessment and risk management (Sadeleer 2007, pp. 18-20; Zander 2010, p. 15). As the European Commission argues, any approach based upon the precautionary principle should start with an (scientific) evaluation as complete as possible.20
Along with de Sadeleer, we consider impact assessment (be it in the field of privacy or environmental protection) as one way of implementing the precautionary principle, since just like risk assessments, it is precisely about reducing the “uncertainties associated with the potential impacts of a project” (Zander 2010, p. 17). In this case we may add that the assessment of the risks is concentrated on the possible outcomes of the project.
Therefore, as a kind of risk assessment and risk mitigation tool, PIA is an implementation of the precautionary principle. Costa further argues that prior checking, a forerunner to PIA, envisaged in Art 20 of the Data Protection Directive,21 is such an implementation too (Costa 2012, p. 18). However, there is no specific provision in relation to the realization of risk assessments (see also Wright & De Hert 2012).
5.2. PIA – mitigation or exclusion of liability?
6. Conclusion
We have shown that regardless of the civil liability standard, be it fault-based or strict, a good PIA – in certain situations – could waive such liability. This is a crucial incentive for a business to actually carry out a PIA. Therefore, to the typical list of PIA benefits, we add the following one: impact on liability.
Bibliography
Ashurst (2006). Interpretation of the Product Liability Directive.
Best, R. (2002). "A Comparison of Civil Liability for Defective Products in the United Kingdom and Germany." German Law Journal 3.
Bisschop, K., Jelsma, K. (2011). Netherlands. The International Comparative Legal Guide to: Product Liability 2011 - A practical cross-border insight into product liability work. London, Global Legal Group Ltd.
Callon, M., Lascoumes, P., Barthes, Y. (2001). Agir dans un monde incertain, essai sur la démocratie technique. Paris, Seuil.
Costa, L. (2012). "Privacy and the precautionary principle." Computer Law & Security Review 28: 14-24.
Deakin, S., Johnston, A., Markesinis, B. (2003). Markesinis and Deakin's Tort Law. Oxford, Clarendon Press.
Godard, O. (2000). "Le principe de précaution, une nouvelle logique de l’action entre science et démocratie." Philosophie Politique 11.
Hedemann-Robinson, M. (2007). Enforcement of European Union Environmental Law - Legal Issues and Challenges. London, New York, Routledge Cavendish.
Hilty, L., Som, C. (2005). "The Precautionary Principle, Sustainability and Ethical Aspects of the Information Society". The Precautionary Principle in the Information Society - Effects of Pervasive Computing on Health and Environment. L. Hilty, Behrendt, S., Binswanger, M., Bruinink, A., Erdmann, L., Fröhlich, J., Köhler, A., Kuster, N., Som, C., Würtenberger, F. Berne, TA-SWISS: 27-44.
Kourilsky, P. (2002). Du bon usage du principe de précaution. Paris, Odile Jacob.
Sadeleer, N. d. (2002). Environmental Principles - From political slogans to legal rules. Oxford, Oxford University Press.
Sadeleer, N. d. (2007). "The precautionary principle in European Community health and environment law: sword or shield for the Nordic countries?" Implementing the Precautionary principle - Approaches from the Nordic countries, EU and USA. N. d. Sadeleer. London, Sterling, Earthscan: 7-58.
Stewart, B. (2007). Privacy Impact Assessment Handbook. Wellington, Auckland, Office of the Privacy Commissioner.
Wright, D. (2011). "Should Privacy Impact Assessments Be Mandatory?" Communications of the ACM 8: 121-131.
Wright, D. (2012). "The state of the art in privacy impact assessment." Computer Law and Security Review 28(1): 54-61.
Wright, D., De Hert, P., Ed. (2012). Privacy Impact Assessment. Law, Governance and Technology. Dordrecht, Heidelberg, London, New York, Springer.
Zander, J. (2010). The Application of the Precautionary Principle In Practice - Comparative Dimensions. Cambridge, Cambridge University Press.
- 1 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, Brussels, 25 January 2012.
- 2 “Le principe de précaution, selon lequel l'absence de certitudes, compte tenu des connaissances scientifiques et techniques du moment, ne doit pas retarder l'adoption de mesures effectives et proportionnées visant à prévenir un risque de dommages graves et irréversibles à l'environnement à un coût économiquement acceptable.” Loi no 95-101 du 2 février 1995 relative au renforcement de la protection de l'environnement [Law No 95-101 of 2 February 1995 on the reinforcement of the protection of the environment], translation ours.
- 3 ECJ, The Queen v Ministry of Agriculture, Fisheries and Food and Commissioners of Customs & Excise, ex parte National Farmers' Union and Others, Judgment of 5 May 1998, Case C-157/96, § 63; UK v Commission, Judgment of 5 May 1998, Case C-180/96.
- 4 Callon et al. have resorted to the expression “measured action” to designate decision-making in this framework.
- 5 European Commission, Communication from the Commission on the precautionary principle, COM(2000) 1 final, Brussels, 2 February 2000, p. 15.
- 6 This indeed is contrary to the widespread and loudly propagated, but nevertheless wrong and misleading narrative that represents the precautionary principle as the vector of immobilism, prohibition, anti-progress, and even worse, “back to the cavern thinking”.
- 7 Cf. in particular the references in Fn. 480 and 481.
- 8 European Commission, Report from the Commission on the Application of Directive 85/374 on Liability for Defective Products, COM(2000) 893 final, Brussels, 31 January 2001, p. 18.
- 9 Directive 2004/35/CE of the European Parliament and of the Council of 21 April 2004 on environmental liability with regard to the prevention and remedying of environmental damage.
- 10 Cf. European Commission, Summaries of legislation: Environmental liability – Directive, http://europa.eu/legislation_summaries/enterprise/interaction_with_other_policies/l28120_en.htm.
- 11 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products.
- 12 ECJ, Commission v the UK, Judgment of 29 May 1997, Case C-300/95, § 29.
- 13 Cf. Art 52 of the European Patent Convention, http://www.epo.org/law-practice/legal-texts/epc.html.
- 14 European Commission, Report from the Commission to the Council, the European Parliament and the European Economic and Social Committee: Third report on the application of Council Directive on the approximation of laws, regulations and administrative provisions of the Member States concerning liability for defective products (85/374/EEC of 25 July 1985, amended by Directive 1999/34/EC of the European Parliament and of the Council of 10 May 1999), COM(2006) 496, Brussels, 14 September 2006, p. 10.
- 15 [2001] 3 All ER 289, QBD.
- 16 RB Amsterdam, 3 February 1999, NJ 1999 621.
- 17 Cf. Art 6:185 of the Dutch Civil Code.
- 18 House of Lords, [1980] 14 BLR 1.
- 19 BGH, Judgment of 2 February 1999; NJW 1999, p. 1028.
- 20 European Commission, Communication from the Commission on the precautionary principle, op. cit., pp. 12-13.
- 21 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 22 See in particular Wright 2012 and Wright & De Hert 2012.